6.4.0-M1

⏪ Breaking Changes

• Adapt to form data not adding charset if it is UTF-8 #15275

⭐ New Features

• AclAuthorizationStrategyImpl should use RoleHierarchy #4186
• Add CachingRelyingPartyRegistrationRepository #15341
• Add interface IterableRelyingPartyRegistrationRepository or similar #15027
• Add Kotlin support to DefaultMethodSecurityExpressionHandler #15093
• Add Kotlin support to PreFilter and PostFilter annotations #15095
• Add RequestMatcher for matching parameters #15342
• Add saml2Logout Kotlin DSL support #14935
• Add SecurityContextRepository to Kotlin Reactive DSL #15013
• Add setter method for userDetailsChecker in CasAuthenticationProvider(#10277) #15047
• Add support checking AnyRequestMatcher securityFilterChains #15221
• Add support configuring OAuth2AuthorizationRequestResolver as bean #15237
• Add support remember-me cookie customization #15203
• Adds missing translated messages for PT-BR #15181
• Adjust DefaultSecurityFilterChain Logging Level and Simplify Filter Logging #15096
• Clarify the behavior of Concurrent Session Management when an IdP is involved #15206
• CSRF example for Single-Page Apps could be improved #15105
• Deprecate authorizeRequests from Kotlin DSL #15173
• Deprecate OpenSamlRelyingPartyRegistration #15343
• Description of securityMatcher and multiple filter chains has now more details #15029
• Document the role of CredentialsContainer #15322
• Expose user name attribute name in OAuth2UserAuthority #15012
• LDAP bind failures due to invalid credentials don't cause AuthenticationFailure events to be fired #3834
• Mention all required dependencies in LDAP documentation #15246
• OIDC Backchannel Logout should allow logout tokens having typ header of logout+jwt #15003
• Remove Deprecated Usages for Spring LDAP #15274
• SAML metadata Content-Type should be application/samlmetadata+xml #15147
• Support GrantedAuthorityDefaults Bean in authorizeHttpRequests Kotlin DSL #15171
• Support RoleHierarchy Bean in authorizeHttpRequests Kotlin DSL #15136
• Support signing SAML metadata #14916
• Update Kotlin example for MockMvc and Spring Security #15177
• Update the OAuth2 jwt and opaque Resource Server documentation #15362
• Use Javadoc macro #15386

🪲 Bug Fixes

• Assert WebSession is not null #15180
• Docs: Fix import for reactive example with Kotlin DSL #15200
• Fix Compromised Password Checker Docs Sample Not Working #15306
• Fix Java example in multitenanci.adoc #15164
• Fix link in the In-Memory Authentication documentation #14689
• Fix malformed list in "Using Method Parameters" documentation #15325
• Fix typos and formatting in documentation #15353
• Fix wrong explanation for @PostAuthorize annotation #15222
• Resolving invalid CSRF token values is not consistent #15187
• The docs reference #7537 which is closed #15263

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.0-alpha.3 to 1.0.0-alpha.4 in /docs #15158
• Bump antora from 3.2.0-alpha.4 to 3.2.0-alpha.5 in /docs #15332
• Bump com.fasterxml.jackson:jackson-bom from 2.17.1 to 2.17.2 #15371
• Bump com.github.spullara.mustache.java:compiler from 0.9.13 to 0.9.14 #15370
• Bump com.gradle.develocity from 3.17.4 to 3.17.5 #15242
• Bump Gradle Wrapper from 8.7 to 8.8 #15188
• Bump io-spring-javaformat from 0.0.41 to 0.0.42 #15214
• Bump io.projectreactor:reactor-bom from 2023.0.7 to 2023.0.8 #15387
• Bump org-apache-maven-resolver from 1.9.20 to 1.9.21 #15369
• Bump org-eclipse-jetty from 11.0.21 to 11.0.22 #15357
• Bump org.apache.maven:maven-resolver-provider from 3.9.6 to 3.9.7 #15169
• Bump org.apache.maven:maven-resolver-provider from 3.9.7 to 3.9.8 #15270
• Bump org.hibernate.orm:hibernate-core from 6.4.8.Final to 6.4.9.Final #15234
• Bump org.hsqldb:hsqldb from 2.7.2 to 2.7.3 #15190
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.15 to 4.33.16 #15175
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.16 to 4.33.17 #15215
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.17 to 4.33.19 #15259
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.19 to 4.33.20 #15269
• Bump org.junit:junit-bom from 5.10.2 to 5.10.3 #15313
• Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.3 #15334
• Bump org.springframework.data:spring-data-bom from 2024.0.0 to 2024.0.1 #15258
• Bump org.springframework.data:spring-data-bom from 2024.0.1 to 2024.0.2 #15420
• Bump org.springframework.ldap:spring-ldap-core from 3.2.3 to 3.2.4 #15250
• Bump org.springframework:spring-framework-bom from 6.1.8 to 6.1.9 #15249
• Bump org.springframework:spring-framework-bom from 6.2.0-M4 to 6.2.0-M5 #15403
• Upgrade to Spring Framework 6.2.0-M4 #15266

🔩 Build Updates

• Automate check of expected branch version #15311
• Bump spring-io/spring-doc-actions from 5a57bcc6a0da2a1474136cf29571b277850432bc to 852920ba3fb1f28b35a2f13201133bc00ef33677 #15289
• Configure Build to Confirm UnboundId 7 Compatibility #15400
• Fixing URL on README #15350

❤️ Contributors

Thank you to all the contributors who worked on this release:

@CrazyParanoid, @Doremi203, @Junhyunny, @Kyoungwoong, @Marcono1234, @Seungpan...

6.3.1

⭐ New Features

• Clarify the behavior of Concurrent Session Management when an IdP is involved #15071
• Mention all required dependencies in LDAP documentation #15245
• Minor docs fix #15144

🪲 Bug Fixes

• AbstractRequestMatcherRegistry#requestMatchers should pick MvcRequestMatcher when using MockMvc #15211
• Assert WebSession is not null #15179
• DispatcherServletDelegatingRequestMatcher causes errors when running tests with MockMvc #15197
• Documentation clarification after #12783 has been closed is needed. #15208
• Fix Java example in multitenanci.adoc #15151
• Fix Kotlin example in authorize-http-requests.adoc #15129
• Incorrect documentation for OIDC Back-Channel Logout #15212
• IpAddressMatcher.matches(String address) still accepts URLs #15172
• LDIF file on official documentation breaks the startup process #15167
• Link to article with remember-me-persistent-token strategy is broken #15149
• OpenSaml4AssertionValidator is not respecting clock skew settings #15183
• Resolving invalid CSRF token values is not consistent #15186
• spring-security/docs/modules/ROOT/pages/servlet/authorization /method-security #15143
• SpringOpaqueTokenIntrospector does not add scopes as granted authorities properly #15165

🔨 Dependency Upgrades

• Bump io.micrometer:micrometer-observation from 1.12.6 to 1.12.7 #15225
• Bump io.projectreactor:reactor-bom from 2023.0.6 to 2023.0.7 #15229
• Bump org.apache.directory.shared:shared-ldap from 0.9.15 to 0.9.19 #15161
• Bump org.apache.maven:maven-resolver-provider from 3.9.6 to 3.9.7 #15168
• Bump org.gretty:gretty from 4.1.3 to 4.1.4 #15133
• Bump org.hibernate.orm:hibernate-core from 6.4.8.Final to 6.4.9.Final #15228
• Bump org.hsqldb:hsqldb from 2.7.2 to 2.7.3 #15193
• Bump org.springframework.data:spring-data-bom from 2024.0.0 to 2024.0.1 #15260
• Bump org.springframework.ldap:spring-ldap-core from 3.2.3 to 3.2.4 #15251
• Bump org.springframework:spring-framework-bom from 6.1.7 to 6.1.8 #15134
• Bump org.springframework:spring-framework-bom from 6.1.8 to 6.1.9 #15252

🔩 Build Updates

• Bump @antora/collector-extension from 1.0.0-alpha.3 to 1.0.0-alpha.4 in /docs #15159
• Bump @springio/antora-extensions from 1.10.0 to 1.11.1 in /docs #15141
• Bump com.gradle.develocity from 3.17.4 to 3.17.5 #15239
• Bump gradle/gradle-build-action from 2 to 3 #15157
• Bump io-spring-javaformat from 0.0.41 to 0.0.42 #15219
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.15 to 4.33.16 #15176
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.16 to 4.33.17 #15218
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.17 to 4.33.19 #15261
• Bump spring-io/spring-doc-actions from 17ed79ea5fbd65813c69ef1062a024d4a37ff0ca to 5a57bcc6a0da2a1474136cf29571b277850432bc #15139

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot] and @theHacker

6.2.5

⭐ New Features

• doc: added hint to declare GrantedAuthorityDefaults as infrastructure bean #15063
• Enhance Logging in RequestMatcherDelegatingAuthorizationManage #14922
• InMemoryUserDetailsManager: consider improving the error message when no PasswordEncoding has been specified #14974
• Mention all required dependencies in LDAP documentation #15244

🪲 Bug Fixes

• Assert WebSession is not null #15178
• AbstractRequestMatcherRegistry#requestMatchers should pick MvcRequestMatcher when using MockMvc #15210
• DispatcherServletDelegatingRequestMatcher causes errors when running tests with MockMvc #15196
• Fix Java example in multitenanci.adoc #15150
• Incorrect documentation for OIDC Back-Channel Logout #15198
• InMemoryUserDetailsManager Setting User Roles in Official Documentation Example Causes Error #14972
• LDIF file on official documentation breaks the startup process #15166
• Link to article with remember-me-persistent-token strategy is broken #15148
• OIDC Logout section is not shown in the navbar #15112
• OpenSaml4AssertionValidator is not respecting clock skew settings #15022
• ProxyRestrictionConditionValidator is missing in the OpenSaml4AuthenticationProvider.SAML20AssertionValidators class #14958
• Resolving invalid CSRF token values is not consistent #15185
• spring-security/docs/modules/ROOT/pages/servlet/authorization /method-security #15045
• Wrong information for RequestCacheAwareFilter in the Spring Security documentation. #14995

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.17.0 to 2.17.1 #15011
• Bump io.micrometer:micrometer-observation from 1.12.5 to 1.12.6 #15069
• Bump io.micrometer:micrometer-observation from 1.12.6 to 1.12.7 #15224
• Bump io.mockk:mockk from 1.13.10 to 1.13.11 #15079
• Bump io.projectreactor:reactor-bom from 2023.0.5 to 2023.0.6 #15075
• Bump io.projectreactor:reactor-bom from 2023.0.6 to 2023.0.7 #15232
• Bump org-apache-maven-resolver from 1.9.18 to 1.9.19 #14939
• Bump org-apache-maven-resolver from 1.9.19 to 1.9.20 #15031
• Bump org-aspectj from 1.9.22 to 1.9.22.1 #15049
• Bump org-eclipse-jetty from 11.0.20 to 11.0.21 #15080
• Bump org.apache.maven:maven-resolver-provider from 3.9.6 to 3.9.7 #15170
• Bump org.hibernate.orm:hibernate-core from 6.4.4.Final to 6.4.5.Final #14949
• Bump org.hibernate.orm:hibernate-core from 6.4.5.Final to 6.4.6.Final #14953
• Bump org.hibernate.orm:hibernate-core from 6.4.6.Final to 6.4.7.Final #14960
• Bump org.hibernate.orm:hibernate-core from 6.4.7.Final to 6.4.8.Final #14981
• Bump org.hsqldb:hsqldb from 2.7.2 to 2.7.3 #15192
• Bump org.jetbrains.kotlin:kotlin-bom from 1.9.23 to 1.9.24 #15024
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.23 to 1.9.24 #15023
• Bump org.opensaml:opensaml-core4 from 4.3.1 to 4.3.2 #14947
• Bump org.springframework.data:spring-data-bom from 2023.1.5 to 2023.1.6 #15101
• Bump org.springframework.data:spring-data-bom from 2023.1.6 to 2023.1.7 #15262
• Bump org.springframework.ldap:spring-ldap-core from 3.2.3 to 3.2.4 #15248
• Bump org.springframework:spring-framework-bom from 6.1.6 to 6.1.7 #15081
• Bump org.springframework:spring-framework-bom from 6.1.7 to 6.1.8 #15132
• Bump org.springframework:spring-framework-bom from 6.1.8 to 6.1.9 #15247
• Update to OAuth2 OIDC SDK 9.43.4 #14920
• Upgrade nimbus-jose-jwt to version 9.37.3 #14836

🔩 Build Updates

• Attach Antora Docs to Pull Requests #15060
• Bump @antora/collector-extension from 1.0.0-alpha.3 to 1.0.0-alpha.4 in /docs #15163
• Bump @springio/antora-extensions from 1.10.0 to 1.11.1 in /docs #15142
• Bump com.github.spullara.mustache.java:compiler from 0.9.11 to 0.9.13 #15032
• Bump com.gradle.develocity from 3.17.2 to 3.17.3 #15050
• Bump com.gradle.develocity from 3.17.3 to 3.17.4 #15102
• Bump com.gradle.develocity from 3.17.4 to 3.17.5 #15241
• Bump io-spring-javaformat from 0.0.41 to 0.0.42 #15216
• Bump io.spring.ge.conventions from 0.0.16 to 0.0.17 #14961
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.2 to 1.0.3 #14924
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.13 to 4.33.15 #14950
• Consider Adding a Build Updates section to the release changelog #15038

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot]

5.8.13

⭐ New Features

• doc: added hint to declare GrantedAuthorityDefaults as infrastructure bean #14779
• Enhance Logging in RequestMatcherDelegatingAuthorizationManage #14837
• Improve PasswordEncoder Error Messaging #14951
• InMemoryUserDetailsManager: consider improving the error message when no PasswordEncoding has been specified #14880
• Mention all required dependencies in LDAP documentation #15235
• Remove useBase64 parameter #14862

🪲 Bug Fixes

• AbstractRequestMatcherRegistry#requestMatchers should pick MvcRequestMatcher when using MockMvc #13849
• Always Use Request-Level ServletContext to Evaluate Request Matcher Paths #15195
• Assert WebSession is not null #14977
• Conditionally Add Conventions Plugin #15152
• DispatcherServletDelegatingRequestMatcher causes errors when there is more than one ServletContext #14418
• Fix Java example in multitenanci.adoc #15146
• LDIF file on official documentation breaks the startup process #15089
• Link to article with remember-me-persistent-token strategy is broken #14358
• ProxyRestrictionConditionValidator is missing in the OpenSaml4AuthenticationProvider.SAML20AssertionValidators class #14931
• Resolving invalid CSRF token values is not consistent #15184
• Restore Build Scan Capability #15120
• Wrong information for RequestCacheAwareFilter in the Spring Security documentation. #14855

🔨 Dependency Upgrades

• Bump io.projectreactor.netty:reactor-netty from 1.0.44 to 1.0.45 #15074
• Bump io.projectreactor.netty:reactor-netty from 1.0.45 to 1.0.46 #15231
• Bump io.projectreactor.tools:blockhound from 1.0.8.RELEASE to 1.0.9.RELEASE #14923
• Bump io.projectreactor:reactor-bom from 2020.0.43 to 2020.0.44 #15073
• Bump io.projectreactor:reactor-bom from 2020.0.44 to 2020.0.45 #15230
• Bump org.hsqldb:hsqldb from 2.7.2 to 2.7.3 #15191
• Bump org.springframework:spring-framework-bom from 5.3.34 to 5.3.35 #15085
• Bump org.springframework:spring-framework-bom from 5.3.35 to 5.3.36 #15135
• Bump org.springframework:spring-framework-bom from 5.3.36 to 5.3.37 #15253
• Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 #14938

🔩 Build Updates

• Attach Antora Docs to Pull Requests #14992
• Bump @antora/collector-extension from 1.0.0-alpha.3 to 1.0.0-alpha.4 in /docs #15160
• Bump @springio/antora-extensions from 1.10.0 to 1.11.1 in /docs #15140
• Bump com.github.spullara.mustache.java:compiler from 0.9.11 to 0.9.13 #15001
• Bump com.gradle.develocity from 3.17.2 to 3.17.4 #15099
• Bump com.gradle.develocity from 3.17.4 to 3.17.5 #15240
• Bump io.spring.ge.conventions from 0.0.16 to 0.0.17 #14959
• Consider Adding a Build Updates section to the release changelog #14485
• Migrate to com.gradle.develocity plugin #15021
• Update Gradle Enterprise plugin to 3.17.2 #15020

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @caio-henrique
• @jzheaux
• @dukbong
• @Harsh4902
• @abimael-turing
• @dependabot[bot]
• @sheriumair
• @paschm

6.3.0

⭐ New Features

• Add getters to OAuth2AuthorizedClientId #13648
• Add timeout defaults to JwtDecoders #14890
• doc: added hint to declare GrantedAuthorityDefaults as infrastructure bean #15065
• Improve logging for Global Authentication #14711
• Minor docs fix #15043
• Minor Documentation update on import needed for using Kotlin DSL #14969
• OAuth2 Client Authentication docs are incomplete #14982
• Proofread CasAuthenticationFilter documentation #14883
• Replace "Spring Boot 2.x" with "Spring Boot" #14919
• Simplify Disabling application/x-www-form-urlencoded Encoding Client ID and Secret #14859
• Support Specifying Identifier for relying-party-registrations Element #14487
• Update What's New in 6.3 #14918

🪲 Bug Fixes

• Do Not Invalidate Current Session When Its Registered #15066
• Fix MethodAuthorizationDeniedPostProcessor does not exist in java doc #14955
• fix docs error in AuthenticatedReactiveAuthorizationManager #14979
• OIDC Logout section is not shown in the navbar #15113
• Wrong information for RequestCacheAwareFilter in the Spring Security documentation. #14996

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.5 to 1.5.6 #14926
• Bump com.fasterxml.jackson:jackson-bom from 2.17.0 to 2.17.1 #15010
• Bump com.gradle.develocity from 3.17.2 to 3.17.3 #15051
• Bump com.gradle.develocity from 3.17.3 to 3.17.4 #15104
• Bump io.micrometer:micrometer-observation from 1.12.5 to 1.12.6 #15068
• Bump io.mockk:mockk from 1.13.10 to 1.13.11 #15086
• Bump io.projectreactor:reactor-bom from 2023.0.5 to 2023.0.6 #15076
• Bump org-apache-maven-resolver from 1.9.18 to 1.9.19 #14940
• Bump org-apache-maven-resolver from 1.9.19 to 1.9.20 #14987
• Bump org-aspectj from 1.9.22 to 1.9.22.1 #15052
• Bump org-bouncycastle from 1.78 to 1.78.1 #14929
• Bump org-eclipse-jetty from 11.0.20 to 11.0.21 #15087
• Bump org.hibernate.orm:hibernate-core from 6.4.4.Final to 6.4.5.Final #14948
• Bump org.hibernate.orm:hibernate-core from 6.4.5.Final to 6.4.6.Final #14952
• Bump org.hibernate.orm:hibernate-core from 6.4.6.Final to 6.4.7.Final #14962
• Bump org.hibernate.orm:hibernate-core from 6.4.7.Final to 6.4.8.Final #14980
• Bump org.jetbrains.kotlin:kotlin-bom from 1.9.23 to 1.9.24 #15025
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.23 to 1.9.24 #15026
• Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.8.0 to 1.8.1 #15053
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.13 to 4.33.15 #14945
• Bump org.springframework.data:spring-data-bom from 2024.0.0-RC1 to 2024.0.0 #15103
• Bump org.springframework:spring-framework-bom from 6.1.6 to 6.1.7 #15088

🔩 Build Updates

• Attach Antora Docs to Pull Requests #15061
• Bump com.github.spullara.mustache.java:compiler from 0.9.11 to 0.9.12 #14986
• Bump com.github.spullara.mustache.java:compiler from 0.9.12 to 0.9.13 #14999
• Bump io.spring.ge.conventions from 0.0.16 to 0.0.17 #14963
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.2 to 1.0.3 #14928
• Consider Adding a Build Updates section to the release changelog #15039

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Crain-32, @Kehrlann, @MrJovanovic13, @ch4mpy, @dependabot[bot], @joaquinjsb, @kse-music, @madorb, @rishiraj88, and @vvaadd

6.3.0-RC1

⭐ New Features

• [ISSUE-11725] Add secondary statusCode messages on error #14743
• Add Authorization Denied Handlers for Method Security #14712
• Add ClientAuthenticationMethod constants tls_client_auth and self_signed_tls_client_auth #14889
• Add reference documentation for Token Exchange #14698
• Add Value-Type Ignore Support #14780
• Allow customization of redirect strategy in CasAuthenticationEntrypoint #14881
• Create Authorized Proxy of Return Values #14669
• Handle SpEL AuthorizationDeniedExceptions #14882
• Improve logging in AuthenticationWebFilter #14764
• InitializeUserDetailsBeanManagerConfigurer inject PasswordEncoder into DaoAuthenticationProvider constructor #14766
• Provide Password (Compromised) Checking API #7395
• Simplification of creation of OAuth2TokenValidator with JwtValidators defaults. #14832
• Support Certificate-Bound (POP) JWT Access Token Validation #10538
• Support SpEL Returning AuthorizationDecision #14840
• Update reactive OAuth2 docs landing page with examples #14758

🪲 Bug Fixes

• SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException #14806
• docs: fix typo in FilterChainProxy #14861
• Fix continueOnError default value in java doc #14871
• ReactiveOAuth2AuthorizedClientManagerConfiguration has been created too early #14900
• Transactional annotation breaks AOT for native image #14866
• Update the documentation of AuthenticationProvider.java #14710

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.3 to 1.5.4 #14875
• Bump ch.qos.logback:logback-classic from 1.5.4 to 1.5.5 #14905
• Bump com.gradle.enterprise from 3.16.2 to 3.17 #14849
• Bump io.micrometer:micrometer-observation from 1.12.4 to 1.12.5 #14868
• Bump io.projectreactor:reactor-bom from 2023.0.4 to 2023.0.5 #14874
• Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14820
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.1 to 1.0.2 #14785
• Bump org-aspectj from 1.9.21.2 to 1.9.22 #14800
• Bump org.gretty:gretty from 4.1.2 to 4.1.3 #14776
• Bump org.slf4j:slf4j-api from 2.0.12 to 2.0.13 #14906
• Bump org.springframework.ldap:spring-ldap-core from 3.2.2 to 3.2.3 #14893
• Bump org.springframework:spring-framework-bom from 6.1.5 to 6.1.6 #14892
• Upgrade to Spring Data Bom 2024.0.0-RC1 #14901

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Ali-Hassan33, @CrazyParanoid, @ThomasHagelberg, @dependabot[bot], @erie0210, @jzheaux, @kse-music, @marcusdacoregio, and @youngkih

6.2.4

🪲 Bug Fixes

• SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException #14805
• Address AuthorizationObservationConvention Package Tangle #14795
• bug org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector introspect method error #14848
• Transactional annotation breaks AOT for native image #14865

🔨 Dependency Upgrades

• Bump io.micrometer:micrometer-observation from 1.12.4 to 1.12.5 #14867
• Bump io.projectreactor:reactor-bom from 2023.0.4 to 2023.0.5 #14873
• Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14821
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.1 to 1.0.2 #14786
• Bump org-aspectj from 1.9.21.2 to 1.9.22 #14798
• Bump org.slf4j:slf4j-api from 2.0.12 to 2.0.13 #14907
• Bump org.springframework.data:spring-data-bom from 2023.1.4 to 2023.1.5 #14908
• Bump org.springframework.ldap:spring-ldap-core from 3.2.2 to 3.2.3 #14896
• Bump org.springframework:spring-framework-bom from 6.1.5 to 6.1.6 #14895
• Update org.opensaml:opensaml-core4 to 4.3.1 #14850

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot]

6.1.9

⭐ New Features

• Bump Gradle Wrapper from 8.6 to 8.7 #14796

🪲 Bug Fixes

• SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException #14634
• Address AuthorizationObservationConvention Package Tangle #14794
• bug org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector introspect method error #14847
• Transactional annotation breaks AOT for native image #14825

🔨 Dependency Upgrades

• Bump io.projectreactor:reactor-bom from 2022.0.17 to 2022.0.18 #14876
• Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14823
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.1 to 1.0.2 #14783
• Bump org-aspectj from 1.9.21.2 to 1.9.22 #14799
• Bump org.slf4j:slf4j-api from 2.0.12 to 2.0.13 #14909
• Bump org.springframework:spring-framework-bom from 6.0.18 to 6.0.19 #14894

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot] and @github-actions[bot]

5.8.12

🪲 Bug Fixes

• Conditional check for data-source-ref is incorrect #14742

🔨 Dependency Upgrades

• Bump io.projectreactor.netty:reactor-netty from 1.0.43 to 1.0.44 #14878
• Bump io.projectreactor:reactor-bom from 2020.0.42 to 2020.0.43 #14877
• Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14822
• Bump org.springframework:spring-framework-bom from 5.3.33 to 5.3.34 #14891

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @dependabot[bot]
• @sheriumair

6.3.0-M3

⭐ New Features

• Add ContinueOnError Support for Failed Authentications #14591
• Add DelegatingAuthenticationConverter #14655
• Add DelegatingServerAuthenticationConverter #14654
• Add JSON session support for SwitchUserGrantedAuthority #11758
• Add meta-annotation annotation parameter support #14494
• Add Programmatic Proxy Support for Method Security #14716
• Add support for configuring token-exchange via a bean #14701
• Add support for OAuth 2.0 Token Exchange Grant #14692
• Customize mapping the OidcUser from OidcUserRequest and OidcUserInfo #14672
• Fix Delegation-based Strategy with OidcUserService/OidcReactiveOAuth2UserService examples #12281
• Implement customization of rolePrefix in LdapUserDetailsManager #14574
• Introduce Customizable AuthorizationFailureHandler in OAuth2AuthorizationRequestRedirectFilter #14168
• Simplify configuration of reactive OAuth2 Client component model #13763

🪲 Bug Fixes

• Check for null Authentication #14667
• PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #14724
• Publishing PrePostTemplateDefaults creates circular dependency #14674

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.4.14 to 1.5.3 #14744
• Bump com.fasterxml.jackson:jackson-bom from 2.15.4 to 2.17.0 #14746
• Bump com.github.ben-manes:gradle-versions-plugin from 0.38.0 to 0.51.0 #14753
• Bump com.google.code.gson:gson from 2.8.9 to 2.10.1 #14737
• Bump com.gradle.enterprise from 3.12.6 to 3.16.2 #14760
• Bump com.nimbusds:oauth2-oidc-sdk from 9.43.3 to 9.43.4 #14695
• Bump io.freefair.gradle:aspectj-plugin from 8.4 to 8.6 #14755
• Bump io.github.gradle-nexus:publish-plugin from 1.1.0 to 1.3.0 #14761
• Bump io.micrometer:micrometer-observation from 1.12.3 to 1.12.4 #14718
• Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14659
• Bump io.projectreactor:reactor-bom from 2023.0.3 to 2023.0.4 #14727
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14707
• Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14738
• Bump org.assertj:assertj-core from 3.24.2 to 3.25.3 #14748
• Bump org.gretty:gretty from 4.0.3 to 4.1.2 #14754
• Bump org.hibernate.orm:hibernate-core from 6.3.2.Final to 6.4.4.Final #14747
• Bump org.jetbrains.kotlin:kotlin-bom from 1.9.22 to 1.9.23 #14709
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.22 to 1.9.23 #14708
• Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.7.3 to 1.8.0 #14739
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.4 to 4.33.13 #14735
• Bump org.mockito:mockito-bom from 5.5.0 to 5.11.0 #14736
• Bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 2.7.1 to 2.8.0.1969 #14752
• Bump org.springframework.data:spring-data-bom from 2023.1.3 to 2023.1.4 #14769
• Bump org.springframework:spring-framework-bom from 6.1.4 to 6.1.5 #14756
• Bump org.yaml:snakeyaml from 1.30 to 1.33 #14745

❤️ Contributors

Thank you to all the contributors who worked on this release:

@CrazyParanoid, @Haarolean, @daniel-shuy, @dependabot[bot], @jzheaux, @kse-music, @leewin12, @markusheiden, and @sjohnr